Oops, I broke password reset for like three and a half years

SpindleyQ's picture

Hey, remember back in 2013 when I updated the password database to not use unsalted md5 for password hashing?

Wellll apparently that change broke password reset links with some regularity. (Occasionally a working password reset link would be sent out if you were persistent.) So if you've been trying to reset your password and it hasn't been working, try again! It should work every time now!

And remember: If you're having trouble logging in, or the site is broken for you in some way, please email me and let me know! I'm friendly and want to help and can definitely fix your problem!

Thanks to denson for the bug report that finally led me to track down and fix the issue.

I switched to using bcrypt for password hashing. But it turns out that the password reset link uses the password hashing function to generate its url, and bcrypted hashes can contain the "/" character. Which meant that if the hash happened to contain a "/", then during URL parsing only the part of the hash up to the first "/" would be checked, and of course it would decide that the hash didn't match and throw a cryptic error.